DEFCON 20 

SAFES AND CONTAINERS - 
INSECURITY DESIGN EXCELLANCE 




STACK-ON QAS 710 



DESIGN DEFECTS IN SECURITY 
PRODUCTS THAT HAVE REAL 
CONSEQUENCES IN 
PROTECTING LIVES AND 
PROPERTY 



GUN SAFES: A CASE STUDY 



i ♦ GUN SAFES AND PROPERTY SAFES 
ARE SOLD TO STORE WEAPONS 

♦ MANY ARE NOT SECURE 

♦ ANALYSIS OF INSECURITY 

- Boltworks and mechanism 

- Biometrics 

- Key Locks 



SECURITY REPRESENTATIONS 



♦ SECURE FOR STORING WEAPONS 

♦ CERTIFIED BY CALIFORNIA DOJ 

♦ PROTECT KIDS FROM GUNS 
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MANUFACTURERS, SECURITY, 
and ENGINEERING 

♦ Many manufacturers do not understand 
bypass techniques 

♦ Many imports, no security, just price 

♦ Large reputable companies sell junk 

♦ Representations that are not true by: 

- Manufacturers 

- Dealers 

- Retail 



"INSECURITY ENGINEERING": 

A DEFINITION 

♦ Intersection of mechanical and security engineering 

♦ Must have both mechanics and security 

♦ Must understand bypass techniques and design against at 
all stages in process 

♦ Develop a new way of thinking by Manufacturers 

♦ Problem: Engineers know how to make things work 
but not how to break them 




MYTHS ABOUT SECURITY AND 
PRODUCT DESIGN 

♦ It is patented 

♦ Engineers think the product is secure 

♦ Product has been sold for many years 

♦ No known bypass tools or techniques 

♦ Product meets or exceeds standards 

♦ Testing labs have certified the product 

♦ Government labs say its secure 



♦ No consumer complaints 



STANDARDS: THE PROBLEM 



. ♦ MEET ALL STANDARDS BUT THE LOCK OR 
SAFE CAN BE EASILY OPENED 

- Standards are not up-to-date 

- Not test for many methods of attack 

- Consumer relies on standards for security 

- Just because you meet standards does not mean 
the lock or safe is secure 

♦ STANDARDS CAN MISLEAD THE PUBLIC 



♦ GUN LOCK AND SAFE STANDARDS ARE 



INADEQUATE AND DO NOT PROTECT 




1 CALIFORNIA DOJ STANDARDS 

ESSENTIALLY WORTHLESS 




REGULATORY GUN SAFE 
STANDARDS - CAL DOJ 

Section 977.50 of the CA Code of Regulations 

♦ Shall be able to fully contain firearms and provide for their 
secure storage; 

♦ Shall have a locking system consisting of at minimum a 
mechanical or electronic combination lock. The 
mechanical or electronic combination lock utilized by the 
safe shall have at least 10,000 possible combinations 
consisting of a minimum three numbers, letters, or 
symbols. The lock shall be protected by a case-hardened 
(Rc 60+) drill-resistant steel plate, or drill-resistant 
material of equivalent strength; 



CAL DOJ STANDARDS: 
BOLT WORK 

i ♦ Boltwork shall consist of a minimum of 
three steel locking bolts of at least X A inch 
thickness that intrude from the door of the 
safe into the body of the safe or from the 
body of the safe into the door of the safe, 
which are operated by a separate handle and 
secured by the lock; 



C AL DO J STANDARDS : 
CONSTRUCTION 

4 ♦ Shall be capable of repeated use. The 
exterior walls shall be constructed of a 
minimum 12-gauge thick steel for a single- 
walled safe, or the sum of the steel walls 
shall add up to at least . 1 00 inches for safes 
with two walls. Doors shall be constructed 
of a minimum of two layers of 12-gauge 
steel, or one layer of 7-gauge steel 
compound construction; 



CAL DOJ STANDARDS: 
DOOR HINGES 

j ♦ Door hinges shall be protected to prevent 
the removal of the door. Protective features 
include, but are not limited to: hinges not 
exposed to the outside, interlocking door 
designs, dead bars, jeweler' s lugs and 
active or inactive locking bolts. 



STANDARDS: 
NOT REAL- WORLD TESTS 

*j ♦ Standards do not protect consumers 

♦ No testing of covert entry and mechanical 
bypass techniques 

♦ Not real-world testing, aka "kids" 

♦ Lowest common denominator for testing 
criteria was adopted for standards 

♦ Allows certification of gun safes that can be 
opened in seconds by kids 

♦ Most states rely on California as Model 




SMALL GUN SAFES 
MAJOR RETAILERS 



amazon.com 




EVERY SEASON STARTS AT 

DICKS 




RETAILERS DON' T KNOW AND DON' T 
CARE: IT' S ALL ABOUT MONEY 

♦ Contacted four major retailers to warn 

♦ Only one was even concerned 

♦ No action taken by any of them 

♦ Stack-On: Absolutely no interest 




MISREPRESENTATIONS 
ABOUT SECURITY 

♦ California DOJ Certified 

♦ Can be relied upon as secure 

♦ Are safe to secure guns 

♦ Cannot be opened by kids 

♦ Only way to open: breaking 

♦ Can be relied upon by consumer 

♦ TSA Approved 



DEALERS MISLEAD THE 
PUBLIC ABOUT SECURITY 



EDDIE RYAN OWENS 
11/27/06-09/15/2010 




DETECTIVE OWENS CASE: 
Clark County Sheriffs Office 

8 ♦ 2003, Deputy's son shot 10-year old sister 
with service weapon 

♦ Sheriffs office mandated all personnel use 
gun safes at home and office 

♦ Purchased for $36 each from Stack-On; 
several hundred units. State purchased 
thousands of them 

♦ Mandated use for weapons at home and 
office and storage of evidence 




STACK-ON SAFE FOR 
SHERIFFS DEPARTMENT 

3 ♦ UC Agent Eddie Owens had weapon in 
mandated safe in bedroom closet 

♦ September 15, 2010, safe is accessed by 
child 

♦ Three-year-old Eddie Ryan is shot and dies 

♦ Investigation clears father 

♦ Father is fired 1 4 months later for speaking 
up about defective safes 

♦ Other deputies complain as well 



CRIMINAL INVESTIGATION 



♦ NO DNA TESTS 

♦ NO GSR TESTS ON VICTIM OR SISTER 

♦ NO FORENSIC ANALYSIS OF SAFE 

♦ NO EXPERTISE BY LOCAL LAB 

♦ NO UNDERSTANDING OF HOW THE 
SAFE WAS OPENED 

♦ DON' T KNOW WHO FIRED THE 
WEAPON, ALTHOUGH 1 1 - YEAR OLD 
SISTER CONFESSED 




SECURITY LABS INVOLVEMENT 
FORENSIC INVESTIGATION 

♦ Examined two safes from same batch; 

♦ Analyzed bolt mechanism, solenoid; 

♦ High speed video from inside of safe to 
document the problem; 

♦ Analyzed similar safe from AMSEC, 
GUNVAULT, and BULLDOG; 

♦ Contacted STACK-ON 

♦ Expanded inquiry to all STACK-ON 
models 



STACK-ON SAFE: 
FROM SAME BATCH 



INTERNAL MECHANISM: 
THE DEFECTIVE DESIGN 




HOW A THREE YEAR OLD 
CAN OPEN A SAFE 




AMSEC DIGITAL: 

SAME DEFECTIVE DESIGN 




OUR INVESTIGATION 



■ ♦ FOUR MANUFACTURERS: AMSEC, 
STACK-ON, GUNVAULT, BULLDOG 
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„ ANALYZED 10 SAFES: 
All Defective Security Designs 

■ ♦ SECURITY DESIGNS 

- Push-Button keypad lock 

- Fingerprint swipe reader biometric 

- Fingerprint image reader biometric 

- Multi-Button combination 

- Key bypass: wafer or tubular lock 

♦ ALL COULD BE BYPASSED EASILY 

♦ NO SPECIAL TOOLS OR EXPERTISE 



BYPASS TECHNIQUES 



i ♦ COVERT ENTRY METHODS: NONE 
COVERED BY DOJ STANDARDS 

♦ Shims 

♦ Straws from McDonalds 

♦ Screwdrivers 

♦ Pieces of brass from Ace Hardware 

♦ Paperclips 

♦ Fingers 





STACK-ON PC ( 



PortabLa Cast with ElHtromt Lock 



ElKlrniw btk rflhw, '.at a J Id 8 digit WrtlbrtJltUrt W fct 
progrdrnrTOd into tte eatt Ircludu a backup t'Cwble tey 

5hm ine design at she- use allara ior stw age in 3 briefcase, 
under Ehe seal d enany care and trucks. Foam padded bollom 
prolKlSOTi?Cfil5 from Kr^thiiyf 




B*xly is di-rtjriisl lor tfip lo (x- -Vci i.-H wlh MteKtNt 

415001b, lestl. Cable w included. 
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STACK-ON PC 650: 
METHODS OF ATTACK 




STACK-ON PC 650 




REMOVE RUBBER COVER 



ACTIVATE LATCH 





BYPASS PROGRAM BUTTON 




RE-PROGRAM THE CODE 




SHIM THE WAFER LOCK 



STACK-ON F 



PDS-500 

Drawer Safe with Elect rank Uck 
TcSttd JilttiJ to d C jli'Ornki DOl Fl^rffi 

5**1fiy Device 

2 lwe ad on locking boles and concealed hinges. 

fMIWin^h^^if is ilKl|l*dwPl#«ft Hit. 




MAKE A HOLE AND 
MANIPULATE MECHANISM 




BYPASS SOLENOID WITH WIRE 





)CK BYPASS 





SHIMS AND PAPER CLIPS 




FALSE PERCEPTION OF SECURITY 

♦ FINGERPRINT READERS DON' T 
MEAN SECURITY 




Great security for pistols, 
ammo and valuables at home, 
on the road or in the office. 

Tested and listed as California Department at 
Justice firearms safely devices lhai conform to itie 
requirements of Calif ornia Penal Code Section 1 2088 
and (he relations- issued thereunder. 

Solid steel, pry resistant, plate steel doors, steel live 
action locking bolts and concealed hinges provide 
greater security. 

New models 1 ■ ■-: i . L: b> biometrfc locks with back Up 
electronic touch pad and trouble key. 

Electronic lock can be programmed to "beep" 
when the numbers on Hie key pad are pressed or 
programmed to be 5* lent 






FINGERPRINT READER AND 
WAFER LOCK = SECURITY 



■ ■ 







FINGERPRINT READER 
MODULAR MECHANIS 




■ - ■ If 





PUSH THE READER AND 
DISLODGE THE MODULE 





ACCESS THE SOLENOID 




WIRE OPENS THE SAFE 




QAS-1200-B 

Quirk Access Safe with Biometric Lock 



Tenet! jnd I^Ltd as a Cairfbfntf DDJ Firearm 
Safety Dewte. 

B»0rt^1f< Ittk iUhi a«*pi 2B *+iff*rii fnH^rpin>n with frtfk 
up lrauble kf/ Biorrteiric reader n easy u use and program 
Bunnell totk* providu ^-e^ief ieouhiy - no turrahrwiiKiflSi to 
remember. 

Huldi -.Urid.ird M^d fMtL^ M*JOflhtr mJIujMr 
Included lemuiMhlejhelf. F&am paddetf boilom 

5"ilr pt-cMtf Wks lv nwuniir^ b> in* tap. w** <n a t**H 
F Jifl*™g r-juJv.'dir o s-'-l- u u*^3 wfr* !H^r 





SPEC 
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p QAS 1200-B BIOMETRIC SAFE 
OPEN WITH PAPERCLIP 



TACK-ON QAS-1200-B 



THE STACK-ON DESIGN 



GLUE = STACK-ON SECURITY 




HIGH-TECH TOOL TO OPEN 

PAPERCLIP 




OPENING TH 



E QAS 1200-B 






STACK-ON QAS-7 10 



QAS-710 

□rawer Safe with Motorized Electronic Lock 



1 1 ■ 1 1 ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ n 
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IgS Tesled and lifted # ? C^lifo^nia DOJ firearm Safety Devkg. 

All steel conslruction and low pro^le design allows for storage in a drawer 

Lid pops up when the cowu security code us entered 
far instant deceiv. 

Sale ha-i pre- drilled holes lor mounting in 
a drawer or on a shelf. 

FasLer^g, fwJdwar* * nvluded wirt ea* sdf*. 




10- 1 ft* *id+(26CJn| 
JcnpU?.? cm | 



STACK-ON QAS-7 10 



i ♦ MOTORIZED MECHANISM 

♦ ELECTRONIC KEYPAD 

- Open with straw from McDonalds 

- Open with brass shim 

- Open with Screwdriver 

- Reprogram the combination by accessing the 
reset switch 



OPENING THE STACK-ON 
QAS-710 ELECTRONIC SAFE 



GUNVAULT GV2000S 



OPEN THE GUNVAULT 



BULLDOG BD1500 




COMPETENT SECURITY 
ENGINEERING MATTERS 



* ♦ SECURE PRODUCTS 

♦ PROTECTION OF ASSETS, LIVES, AND 
PROPERTY 



♦ DEFECTIVELY DESIGNED PRODUCTS 
HAVE CONSEQUENCES 

♦ LIABILITY 

♦ IF YOU HAVE ONE OF THESE SAFES 
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